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Abstract 

Quantum cryptography has been extensively studied in the last twenty years, but 
information-flow security of quantum computing and communication systems has been 
almost untouched in the previous research. Duo to the essential difference between 
classical and quantum systems, formal methods developed for classical systems, in- 
cluding probabilistic systems, cannot be directly applied to quantum systems. This 
paper defines an automata model in which we can rigorously reason about information- 
flow security of quantum systems. The model is a quantum generalisation of Goguen 
and Meseguer's noninterference. The unwinding proof technique for quantum nonin- 
terference is developed, and a certain compositionality of security for quantum systems 
is established. The proposed formalism is then used to prove security of access control 
in quantum systems. 



1 Introduction 

It is well-known that quantum cryptography has a great advantage over its classical coun- 
terpart that the security and ability to detect the presence of eavesdropping are provable, 
based on the principles of quantum mechanics. But it has been rarely noticed that quantum 
computing and communication systems also face a new security challenge that would not 
arise in classical systems: entanglement is indispensable in quantum computation and com- 
munication, but information leakage can be caused by an entanglement (or more precisely, 
a computational mechanism that can generate an entanglement, e.g. the CNOT gate; see 
Examples 13. 1 1 and 14 . lb . and thus the Trojan Horse may exploit an entanglement between 
itself and a user with sensitive information as a covert channel. 

Information-flow security policies are usually enforced to prevent improper information 
leakage in classical computing and communication system ll20l . A general framework for 
specifying and analysing information-flow security is the noninterference formalism first 
introduced by Goguen and Meseguer [7 1. The basic idea of noninterference Q is: 
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• "One group of agents, using a certain set of commands, is non- interfering with an- 
other group of agents if what the first group does with those commands has no effect 
on what the second group can see." 

Then information leakage from a group of agents to another group of agents is understood 
as interference of the first group with the second group, and security is defined as non- 
interference of the agents with sensitive information with those malicious agents. In the 
original formulation [7 1 of noninterference, its system model is a deterministic automaton. 
This model has been generalised to a nondeterministic automaton by Sutherland 11211 and 
McCullough [14J and further to a probabilistic automaton by Grag (9) . 

This paper aims at extending further the noninterference formalism so that it can be 
used to reason about information-flow security of quantum systems. A quantum system is 
in a sense a probabilistic system, but the theory of probabilistic noninterference [j9] cannot 
be directly applied to it due to the following two reasons: 

1 . In a quantum system a probability distribution of outputs only appears after a certain 
measurement. Any observation about a classical or probabilistic system by an agent 
does not disturb the state of the observed system and thus has no interference with 
other agents. However, a basic postulate of quantum mechanics stipulates that the 
only way for acquiring information about a quantum system is quantum measure- 
ment, which will alter the state of the observed system. Thus, interference between 
different agents will be introduced during observation on quantum systems. 

2. The computational steps of a quantum system are governed by unitary operators or 
more generally super-operators, which are essentially different from stochastic matri- 
ces that are commonly used to model the dynamics of probabilistic systems. In other 
words, the mathematical description of commands executed by an agent in a classical 
or probabilistic systems is different from that in a quantum system. 

To appropriately incorporate quantum features into the noninterference formalism, we de- 
fine a system model in terms of quantum automata |[T5l . 

Di Pierro, Hankin and Wiklicky [2] observed that absolute noninterference can hardly 
ever be achieved in real systems, and thus they proposed a novel notion of approximate 
noninterference based on a quantitative measure of process behaviour equivalence. The 
non-appropriateness of absolute noninterference is even truer in the quantum case because 
quantum gates form a continuum and noise in their physical implementation is unavoidable. 
So, we define a quantitative version of noninterference (or approximate noninterference) for 
quantum systems, following Di Pierro, Hankin and Wiklicky J2j. (A notion of approximate 
behaviour equivalence was also adopted by the authors in their work on both classical and 
quantum process algebras ||26], ||24], I^HI.) 

The main technical contribution of this paper are: 

• Unwinding proof technique: It is often hard to establish noninterference security be- 
cause noninterference is defined as a property over sequences of commands of arbi- 
trary length. A unwinding technique was proposed by Goguen and Meseguer JH, 
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which can prove noninterference by checking only certain single-step conditions. 
This technique was generalised by Rushby |[T9l and van der Meyden E21 to the case 
of intransitive noninterference. We further generalise this technique and provide a 
method for estimating the upper bound of insecurity degree of quantum system. 

• Compositionality of security: A research line on compositionality of security was 
initiated by McCullough lfl4l and recently systemised by Mantel [13], showing that 
secure components with appropriate interface can be hooked up to form a secure 
system. As a quantum generalisation of their compositionality theorems, we prove 
that the insecurity degree of a composed quantum system does not exceed the sum of 
the insecurity degrees of their components provided no entanglement exists between 
those components. 

As an application of the proposed formalism, we consider access control of quantum 
data. The operating systems of all modern computers include certain form of access control 
to protect confidential data. Access control of quantum data will certainly be an important 
issue in the design of an operating system for future quantum computers. The simplest 
access control policy is usually defined in terms of access control matrix, which specifies 
the access rights of agents to individual storage locations. A quantum access control matrix 
is much more complicated than its classical counterpart due to a subtle difference between 
classical and quantum information: 

• "1 + 1 < 2": Access to the quantum information stored in a composite AB system is 
not granted by access to the information stored in subsystem A and access to that in 
subsystem B (see Example 16. lb . 

More precisely, a quantum access control matrix has to specify the access rights of agents 
not only to individual storage locations but also to different combinations of individual lo- 
cations. Rushby lfl9l showed by the unwinding technique that security of access control 
can be properly interpreted in the noninterference formalism with the Reference Monitor 
Assumptions. As a quantum generalisation of Rushby's result [19], we show that the inse- 
curity degree of quantum access control is bounded by a linear function of the degree that 
the Reference Monitor Assumptions are satisfied. 

The paper is organised as follows. Since the majority of Computer Security Foundations 
community may have no background in quantum computation, we briefly review its basics 
including the mathematical formalism of the state space and dynamics of a quantum system 
and quantum measurement in Sec. [2 for more details we refer to iPToll . Another purpose of 
Sec. [2]is to fix notations used in the later sections. The automata model of quantum systems 
and a noninterference measure in such a model are introduced in Sec. [3] In Sec. [4j we 
define the core notion - security degree of quantum systems - in terms of the noninterference 
measure, and the unwinding technique for proving security is generalised to the quantum 
setting. A compositionality theorem for quantum security is established in Sec. [5] The 
security properties of access control of quantum data are examined in Sec. [6] A brief 
conclusion is drawn in Sec. [7J including several problems for further research. For the 
readability, we postpone all the proofs of theorems to the Appendix. 
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2 Basics of Quantum Theory 



2.1 Hilbert Spaces 

According to a basic postulate of quantum mechanics, the state space of a quantum system 
is represented by a Hilbert space. In this paper, we only consider finite-dimensional Hilbert 
spaces, which are indeed complex vector spaces with inner product. We assume the reader 
is familiar with the notion of vector space in Linear Algebra. An inner product over a vector 
space % is a mapping (-|-) : % x % — > C satisfying the following properties: 

1- {<p\<p) > with equality if and only if \ip) = 0; 

2. = <V^}*;and 

3. (</?|AiV>i + A 2 V>2> = Ai(<£>|V>i) + A 2 (<£>|V'2) 

for any \ip), \ip), \4>i), \tp2) G % and for any Ai, A 2 G C, where C is the field of complex 
numbers, and * stands for the conjugate of complex numbers. A vector \tp) is called a 
unit vector if = 1. A pure state of a quantum system is described by a unit vector 

in its state space. Two vectors \ip) and \ip) are said to be orthogonal, written \ip}±\^} if 
(<p\ip) = 0. A family {^i)}™!^ °f un ^ vectors i s called an orthonormal basis of % if 

1. |^i)-L|V>j) for any j; and 

2- |^) = E7=o(^M) ^ all |^) G U. 

In this case, T-L is said to be n— dimensional, each element \tp) of % can be represented by a 
column vector \tp) = (ao, a ra _i) T , where = for < z < n, and T stands for 

transpose. 

Example 2.1 Quantum bit, or qubit for short, is the quantum counterpart of the bit in 
classical computation. The state space of qubits is the 2— dimensional Hilbert space 

U 2 = {a\0)+p\l) : a,p G C}. 

The inner product of \ip) = a\0) + /3\1) and \ip) = a'\0) + /3'\1) is 

{fP\(p) = a*a' + (3* /3'. 

The vectors 

i»>-(J)-i«-(!) 

form an orthonormal basis ofH.2, called its computational basis. A qubit can be in the basis 
states |0) and |1) as well as their superpositions 

a|0> + /3|l> = (°) 
4 



where \a\ 2 + \(3\ 2 = 1, such as 

l +) = -L ( |o ) + |i)) = -L(;), 
l-) = -L(|o>-|D) = ^(_ 1 1 ). 

■ 

The state space of a composite quantum system is defined to be the tensor product of 
the state spaces of its subsystems. Let Hi be a Hilbert space with {\tpij )} as an orthonormal 
basis for each 1 < i < n. Then the tensor product of Hi (1 < i < n) is the Hilbert space 
with {\^ij 1 ---^nj n )} as an orthonormal basis, i.e. 

n 

®Wi = { Yl a h-in\^lh-4nj n ) ■ 

»=1 h,-,jn 

a h-jn G c for aUji) -,Jn} 

where |V'ij 1 ...'0nj„) = I V'lji > --- l^nj„ > is the product of basis states (V'lji, IV'njn) of the 
subsystems. In particular, if Hi = % for all 1 < i < n, then ®" =1 Hi will be abbreviated 
to H® n . 

Example 2.2 T/ie state space of two-qubits is Hf 2 , and a two-qubit system can be in a 
separable state like 1 00) , and it can also be in an entangled state like the EPR pair 

|Ak)> = 4(|00> + |11>). 



2.2 Density Operators 

We also assume the reader is familiar with the notion of linear operator. If {li)}™^ 1 is a 
(fixed) orthonormal basis of an n— dimensional Hilbert space H, then an operator A on it 
can be represented by n x n matrix A = (Aij) where the entries A^ is defined by 

n-l 

A\i) = Y J A ji \j) 

3=0 

for every < i < n. An operator A on H is said to be positive if (Y>|^4|Y') > for all states 
|^) G H. The trace of an operator A is defined to be 

tr(A) = ^2(i/>i\A\i/>i), 
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where is an orthonormal basis of 7~L. If the operator is represented by an n x n 

matrix A = (Aij), then its trace is the sum of the entries on the diagonal of A, i.e. tr(A) = 
Yli=i ^ii- A mixed state of a quantum system can be described as a density operator when 
it is not completely known. Let {|Y>i)} be a family of states in U. If a system is in state 
with probability pi for each i, and ^ pi = 1, then the state of the system is represented by 

i 

where is an operator defined as follows: (i/ji\)\ip) = (ipi\ip)\ipi) for each 

\<p) G %. We say that p is a mixed state generated by the ensemble {(pi,\4>i))} of pure 
states. A density operator p on a Hilbert space % is defined to be a positive operator with 
tr(p) = 1. An operator is a density operator if and only if it can be generated by an 
ensemble of pure states. In particular, we identify a pure state with the density operator 

Example 2.3 The mixed state of a qubit generated by ensemble {(|, |0)), |1)} is repre- 
sented by density operator 

p = ||o>(o| + I|-)<-| = |( ^ - 1 ) u) 



2.3 Unitary Operators 

For an operator A on %, if another operator A* satisfies (\ip), A\ip}) = (A^\(p), for all 
\<p), then A^ is called the adjoint of A, where (|x)> 10) stands for the inner produce 
(x|0- ^ n operator U is called a unitary operator if WU = 1%, where and in the sequel 
I-U stands for the identity operator on %. The basic postulate of quantum mechanics about 
evolution of systems may be stated as follows: Suppose that the states of a closed quantum 
system at times to an d t are \i/;q) and \ip), respectively. Then they are related to each other 
by a unitary operator U which depends only on the times to and t: 

m = uwo). 

This postulate can be reformulated in the language of density operators as follows. The 
state p of a closed quantum system at time t is related to its state po at time to by a unitary 
operator U which depends only on the times t and to: 

p = UpoUl 

A unitary transformation of a state in a finite-dimensional Hilbert space can be calculated 
by matrix multiplication. 
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Example 2.4 An example of unitary operator on one qubit is the rotation about x—axis of 
the Bloch sphere (see H16\l , page 19): 



R x {6) 



cos 2 sin g 

-i sin | cos | 



where < 6 < 2tt. It transforms the basis state |0) into a superposition of\0) and \1): 
R x (9)\0) = 



cos 2 —i sin | \ / 1 



-i sin 2 cos | / \ 

C ° S U=cos%>-*sinV 
-» sin | J T 1 T 1 

The controlled-NOT is a unitary operator on two qubits: 

CNOT=( I I 

where 1, are 2x2 unit and zero matrices, respectively, and 

1 



V '10 

is the NOT gate. The CNOT gate can produce entanglement: 

CNOT(\ + 0» = |Ax)>, 
meaning that separable state \ +0) = |+)|0) is transformed to EPR pair |/3qo) 



2.4 Super-Operators 

A quantum computing or communication system is often not a closed system because it 
may suffer from unwanted interactions from the environment. The dynamics of an open 
quantum system cannot be described by a unitary operator, and one of its mathematical 
formalisms is the notion of super-operator. A super-operator on a Hilbert space % is a 
linear operator £ from the space of linear operators on % into itself which satisfies the 
following two conditions: 

1. tr[£{p)\ < 1 for each density operator p; 

2. Complete positivity : for any extra Hilbert space T-Lr, (Zr <8>£ ) (A) is positive provided 
A is a positive operator on T-Lr (g> Ti, where Zr is the identity operation on 7-Lr. 

If condition 1) is strengthened to tr[£(p)] = 1 for all density operators p, then £ is said to 
be trace-preserving. In this paper, we only consider trace-preserving super-operators. For 
any unitary operator U, if we define £(p) = U pW for all p, then U can be seen as a special 
super-operator £. 
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Example 2.5 The bit flip channel is widely used in quantum communication. This channel 
flips the state of a qubit from |0) to |1) and vice versa, with probability 1 — p, < p < 1. 
It is described by the super-operator £ on the 2— dimensional Hilbert space H 2 , defined as 
follows: 

£{p) = E oP E + ExpEx 

for all density operator p, where Eq = y/pl, E\ = y/\ — pX, and I, X are the 2x2 
unit matrix and the NOT gate, respectively. For example, if p is given by Eq. 0, then it is 
transformed by £ to another density operator 

( I + 2E _l \ 

£{P)=[ 6 _i 3 5_|p 

V 6 6 3 • / 



2.5 Quantum Measurements 

To acquire information about a quantum system, a measurement must be performed on it. 
In quantum computing, measurement is usually used to read out a computational result. A 
quantum measurement on a system with state space % is described by a collection {M\\ of 
operators satisfying 

Y,m{m x = i h , 

A 

where M\ are called measurement operators, and the indices A stand for the measurement 
outcomes. If the state of a quantum system is \ip) immediately before the measurement, 
then the probability that result A occurs is 

p(A) = ^\M{M x \il>) 

and the state of the system after the measurement is 

M x \iP) 



We can also formulate the quantum measurement postulate in the language of density op- 
erators. If the state of a quantum system was p immediately before measurement {M\} is 
performed on it, then the probability that result A occur is 

p(A) = tr{M{M x p), 

and the state of the system after the measurement is 

M xP M{ 
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Example 2.6 The measurement on a qubit in the computational basis {|0), |1)} is M = 
{M , Mi}, where 

M = |0)(0| = (J °),M 1 = |l><l| = (o \ ) 

If we perform M on a qubit in (mixed) state p given in Eq. (0, then the probability that we 
get outcome is 

p(0) = tr(M p) = tr 

and the probability of outcome 1 is = In the case that the outcome is 0, the qubit 
will be in state |0) after the measurement, and in the case that the outcome is 1, it will be in 
state |1). ■ 



I 0\ = 5 
V J 6 



2.6 POVM Measurements 

In defining noninterference, agents observe the system only at the end, and thus the post- 
measurement state of the system is of little interest. The Positive-Operator Valued Mea- 
sure (POVM for short) formalism is especially suited to the analysis of noninterference. A 
POVM measurement on Hilbert space H consists of a family of positive operators {E\) 
such that 

x 

If it is performed on a system in pure state \ip), then the probability of outcome A is 

P (A) = (VI^aM; 

and if the system is in mixed state p before measurement, then the probability of outcome 
A is 

p(X) = tr(E x p). 

Each ordinary quantum measurement {M\} defined in Subsec. l231 can be seen as a special 
POVM measurement if we put E\ = M]M\ for all A. 

Example 2.7 Let 

and £3 = I — Ei — E2, where I is the identity operator on the 2— dimensional Hilbert 
space. Then {E±, E2, E3} is a POVM measurement. If we perform it on a qubit in the state 
p given in Eq. (0, then the probabilities of outcomes I, 2 and 3 are, respectively, 

y/2 V2 2 + V2 

= wwfy p{2) = WTTTy p{3) = 2(1+71)' 
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3 Noninterference in Quantum Systems 
3.1 An Automata Model of Quantum Systems 

Following Goguen and Meseguer's original formulation [7 1, the system models used in the 
studies of noninterference have been mainly automata. A probabilistic automata model was 
employed by Gray [9] in his work on probabilistic (non)interference. Here, we introduce an 
automata model for quantum systems. 

Definition 3.1 A quantum system is a 6— tuple 

§= (H, po, A, C, do, measure), 

where: 

1. His a Hilbert space, and it is the state space of the system; 

2. po is a density operator in "H, and it is the initial state; 

3. A is a set of agents; 

4. C is a set of commands; 

5. do = {£ atC \a G A and c G C}, and for each a E A and for each c G C, E a ^ c 
is a super-operator on %, specifying how states are updated by agent a executing 
command c; 

6. measure = {M a \a G A}, and for each a £ A, M a is a set ofPOVM measurements 
on %, and intuitively, M a consists of all POVM measurements that agent a is allowed 
to perform. 

The above automata model is defined in a way much more general than that in the 
majority of quantum automata literature, for example [15"], where only pure states, unitary 
operators and ordinary (even projective) quantum measurements are considered. Here, we 
work with the language of density operators (mixed states), super-operators are employed to 
specify the executions of commands, and POVM measurements are used to describe agents' 
observation. The major motivation for such a general model is that density operators, super- 
operators and POVM measurements are commonly adopted in quantum information theory, 
see for example |[T6l . Chapter 12. We hope that our results presented in this paper can 
be smoothly incorporated with quantum information theory to analyse security of quantum 
computing and communication systems. 

Several essential differences between classical and quantum systems deserve careful 
explanations. First, the state space of a classical automaton is usually assumed to be discrete 
and even finite. In this paper, we only consider finite-dimensional quantum automata. But 
even so, their state Hilbert spaces are a continuum and thus deem-to-be infinite. Second, 
in the system models of both classical and probabilistic noninterference, the outcomes of 
agents' observations are deterministic. However, an observation on a quantum system is 
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always done through a quantum measurement which in principle cannot give a deterministic 
outcome but only a probability distribution of possible outcomes. In addition, an agent may 
be allowed to observe the system with different measurements which will give different 
distributions of outcomes. 

Before going ahead, we need to fix some notations. We write S* for the set of all finite 
sequences of elements in S. For any a = a\ct2 ■ ■ ■ a n G (Ax C)*, the length of a is 
\a\ = n. We write a(i] for the head aiQ2 ■ ■ ■ Q-i of a for every i < n. Also, we write 

£ a = £a n O ■ • • O £ a2 ° Sai 

for the composition of £ ai , £ a2 , • • • , £ a „ , that is, 

£ a (p) =£ an (---(£ a2 (£ ai (p)))---) 
for every density operator p'm%. 

3.2 Measurement Distance between Density Operators 

Noninterference is defined through a group of agents' nondiscrimination between the final 
states of the system with and without another group of agents' actions. In the quantum case, 
observation outcomes are always represented by the probability distributions determined by 
the involved measurements. So, we first need a distance to measure the difference between 
two distributions. Let X be a finite or countably infinite set. A probability distribution over 
X is a mapping p : X — > [0, 1] such that J2 x gxP( x ) = 1- ^ or eacn event E C X, the 
probability of E is given by 

p(£7) = 2>(s). 

For any two probability distributions p and q over X, their distance is defined to be 

d(p,q) = 2 H ~ SWI' 

xex 

It is easy to see that 

d(p,q) = max\p(E)-q(E)\. (2) 

ECX 

This equality indicates that the distance does not depends on the cardinality of the sample 
space X. 

The above distance between probability distributions can be naturally generalised to 
a pseudo distance between density operators through quantum measurements. Let E = 
{E\\ A 6 A} be a POVM measurement on %. Then for any density operator p in %, we can 
define a probability distribution pe(p) = Pe(p, ) over tne measurement outcomes A by 

Pe{p,X) = tr(Exp) 

for every A £ A. 

Now we consider a family M of POVM measurements. 
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Definition 3.2 The pseudo distance defined by M is given by 

du{p,°) = sup d(p E (p),p E (a)) 

for all density operators p and a. 

Intuitively, c?m(p, cr) measures the difference between p and a that can be detected by 
POVM measurements in M. 

A distance between density operators widely used in quantum information theory is 
trace distance. Recall from [ 16], Sec. 9.2 that for any density operators p and a, their trace 
distance is defined by 

d(p,<r) = -tr\p-a\, 

where \A\ = V A^A is the positive square root of A^A for linear operator A. The following 
theorem establishes a connection between trace distance and distance defined by measure- 
ments. 



Theorem 3.1 (SM, Theorem 9.1) 

d(p,<r) = sup d(p E (p),PE{cr)), (3) 

E 

where the supremum is over all POVM measurements. In other words, if we take M to be 
the set of all POVM measurements, then d(p, a) = du.(p, B 



3.3 (Non)interference Degree 

To present the definition of (non)interference degree, we need several more notations. If 
G C Ais a group of agents, D C C is a set of commands, and a = a\a.2 ■ ■ ■ oc n G (Ax C)* , 
then following the literature |[T9l l22l on classical noninterference, we write purge G D (a) 
for the subsequence of a obtained by deleting those a, = (aj, Cj) with a, G G and a G D; 
that is, 

P ur g e GX>(«) = ot' 1 a' 2 ...a' n , 

where 




e if cti = (a, c) with a £ G and c G D, 
aj otherwise. 



We will simply write purge G (-) for purge G c (-). For each agent a G A, we write d a = 
dM a for the pseudo distance defined by the set M a of POVM measurements. 

Definition 3.3 Let G\,G2 Q A be two groups of agents, and let D C C be a set of com- 
mands. Then the degree that agents G\ with commands D interfere agents G2 is 

Int{Gi,D\G 2 ) = SUp{d a («? a (po),«?purge GlD (Q)(Po)) ^ 

\a G (A x C)* , a G G 2 }. 
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Intuitively, the larger is Int(G\, D\G 2 ), the more agents G\ with commands D interfere 
with agents G 2 . In particular, if G\ with D does not interfere with G2, that is, 

£a(po) = £purge Gl >D (a)(Po) (5) 

for all a G (AxC)* and for all a G G 2 , then /nt(Gi, D|G 2 ) = 0. Conversely, Z>|G 2 ) = 

does not necessarily imply Eq. © because d a may not be a distance but only a pseudo 
distance. In this case, the difference between £ a (po) an d £ pU rge G D («)(Po) cannot be de- 
tected by agents in G2 using the quantum measurements allowed for them. We will simply 
write Int{G x \G 2 ) for Int{G u C\G 2 ). If Int(G u D\G 2 ) = 0, then we write G X ,D : \G 2 . 
Furthermore, we will simply write G\ : \G 2 for G\, C : \G 2 . 

The following proposition considers a special case where agents have the full capacity 
of measurements, and it follows immediately from Theorem 13. II 

Proposition 3.1 If each agent a £ G 2 can perform any POVM measurement; that is, M a is 
the set of all POVM measurements on %, then 

Int(Gi,D\G 2 ) = sup{d(£ a (p ), £ purg e Gi D ( a )(po)) 

\a G (A x C)*}. 

m 

To illustrate the notion defined above, we give a simple example. 

Example 3.1 We consider a system with two qubits. So its state space is Hf 2 , where H 2 
is the 2— dimensional Hilbert space (see Example \2.1\) . There are two agents Alice and 
Bob: A = {Alice, Bob}. They are allowed to perform the measurement in the compu- 
tational basis ( see Example 12.61 ) on the first and second qubits, respectively: M Alice = 
{Mi} ,M.Bob = {M2}, where Mi stands for the computational basis measurement on the 
ith qubitfor i = 1,2. The initial state is assumed to be = 1 00). 

1. Isolated Alice and Bob: If there is only one command R x (6): C = {R x (6)}, and 
when Alice (resp. Bob) execute R x (9), she (resp. he) rotate the first (resp. second) 
qubit by an angle 9 about the x—axis of the Bloch sphere (see Example \2.4\ , then the 
following claim is obvious: 

• Claim: Alice : \Bob and Bob : \ Alice; that is, Alice does not interfere with 
Bob, and vice versa. 

2. Adding one-way CNOT: Now we add the CNOT gate (see Example \2.4\) into the com- 
mand set and put C = {R x (8), CNOT}. Suppose that when both Alice and Bob ex- 
ecutes the command CNOT, the controlled-NOT transformation is performed with 
the first qubit as the control qubit and the second as the target qubit. Then we have: 

• Claim I: Bob, R x {6) : \Alice; that is, 

Int(Bob,R x (6)\Alice) = 0, 
Bob with rotation about x—axis does not interfere with Alice. 
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• Claim 2: If 9 ^ 0, tt, then 



Int(Bob,CNOT\ Alice) > 0; 

that is, Bob with controlled-NOT interferes with Alice. 

• Claim 3: If 9 > 0, then 

Int(Alice,R x (9)\Bob) > 0, 
Int(Alice,CNOT\Bob) > 0; 

that is, Alice with either rotation about x—axis or controlled-NOT interferes 
with Bob. 

To prove Claim 1, we notice that each a G (A x C)* is a sequence of the following 
actions: 

• B\: Alice execute R x (9) on the first qubit; 

• B<i'- Bob executes R x (9) on the second qubit; 

• B%: Alice or Bob executes CNOT with the first qubit as the control qubit and 
the second as the target qubit. 

It is obvious that B\ and B<i commute: B\B2 = B<iB\. Also, it follows from 
Eq. (4.39) in [16] that B2 and B3 commute. Suppose that Bob executes R x {9) in 
a for n times. Then we can move all R x (9) executed by Bob to the end of a and 
obtain 

a' = vurge(a)(Bob,R x (9)) n , 

where purge(a) = purge Bob (a) is obtained by deleting all R x (9) executed by 
Bob from a. We write \ip'), \<f) for the states after the system performs a, a', 
and purge (a), respectively. Then \ip) can be written in the following form: \tp) = 
\0)\(fo) + |l)|</?i), and it holds that 

\ij>) = W) = \Q)R x (n9)\ip ) + \\)R x (n9)\ Vl ). 

Finally, Alice measures the first qubit of \ip) and \ip) in the computational basis, she 
gets the same probability distribution: 

p(iP,0) = \\R x (n9)\w)\\ = \\\(po)\\=p(<P,0), 
p(^,l) = 11^(^)1^)11 = 111^)11=^,1). 

Now we consider action sequence a = (Alice, R x (9)) (Alice, CNOT) (B ob, CNOT) (Alice, R x (9)). 
The state of the system after a is executed is \<p) = (cos 9 \ 0) — i sin 9 1 1)) 1 0) , and the 
state after purge Sob cNOr( a ) iJ executed is 

m =|0)[cos 2 (|)|0) -sin 2 (|)|l)] 

-zsin|cos||l)(|0) + |1)). 
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If Alice measures the first qubit of \ip) and \ip) in the computational basis, then the 
probability distributions of outcomes are 

p(0) = C os 2 9, p(l) = sm 2 6, 

q(0) = COS \ 9 -)+sm\ d -), q(l) = 2 sin 2 (^) cos 2 (^), 

respectively. This implies Claim 2. 

To prove Claim 3, consider action sequence a = (Alice, R x (6)) (Alice, CNOT). 
The state becomes 

6 9 
|^) = cos-|00) -« sin- 1 11) 

after executing a, and it does not change after executing purge Alice R ^^(a) = 
(Alice, CNOT). If Bob measure the second qubit of \ip) and \ipo) in the compu- 
tational basis, then the probability distributions are 

p(0)=cos 2 ( 9 -), p(l)= S m\ 6 -), 
Po(0) = 1, po(l) = 0, 

respectively. So, 

Int(Alice, R x (6)\Bob) > d(p, Po ) = sin 2 (-) > 0. 

Similarly, we can prove Int(Alice,C N OT\Bob) > 0. 

3. Adding two-way CNOT: Finally, we reverse the direction of the CNOT executed by 
Bob: Suppose that when Bob executes the command CNOT, the second qubit is used 
as the control qubit and the first qubit is the target. The direction executed by Alice is 
unchanged. Then we have: 

• Claim: If6>0, then 

Int(Bob,R x (0)\Alice) > 0, 
Int(Bob,CNOT\ Alice) > 0, 
Int(Alice, R x (9)\Bob) > 0, 
Int(Alice,CNOT)\Bob) > 0; 

that is, Alice always interferes with Bob, and vice versa. 

The proof of this claim is similar to that of the above Claims 2 and 3. ■ 

The above example indicates that the CNOT gate may cause information leaking in 
quantum computing. The reason is that certain entanglement between Alice and Bob is 
created by the CNOT gate. 
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4 Security Policies 



Information-flow security policies specify how can information flows from one agent to 
another. We first recall the formal definition of security policy from the literature ||T9] 1221 
on classical information-flow security. 

Definition 4.1 A policy is a reflexive relation between agents: C A x A. 

Intuitively, a ~^ b means that actions of agent a are permitted to interfere with agent b 
or information is permitted to flow from agent a to agent b. 

Since security policies about a system are only relevant to the rights of agents but not 
the physical operations in the system such as evolution and observation, it is reasonable 
to adopt the same definition of policy for classical and quantum systems. Now we can 
define the notion of security for quantum systems with respect to a given policy based on 
noninterference. To do so, we need an additional notation. For any agent a G A, we write 
Va = {b G A\b /» a} for the set of agents from who information cannot flow to agent a. 

4.1 Unbounded-Time Security 

Definition 4.2 The security degree of system 8 with respect to policy is 

K(S, ~») = sup Int(\7a\a). (6) 

Intuitively, Int(Va\a) is the degree that the agents, from whom the policy specifies 
that information cannot flow to agent a, interfere with a. K(S, ~~*) takes the supremum 
of Int(Va\a) over all agents a G A, and thus measures the global degree that an agent 
interfere with another agent although information flow from the former to the latter is not 
allowed by the policy Therefore, K(S,-**) can be understood as the degree that system 
§ is insecure with respect to policy The smaller the value of K (§, ~~*) is, the securer the 
system § is. In particular, if K (S, = 0, then we say that S is secure with respect to ~~>. 

Example 4.1 We extend Example \3. 1 1 by adding a new agent Charles, so the agent set is 
A = {Alice, Bob, Charles}. Consider the security policy ~» defined by Alice ~» Bob 
Charles. The system is expanded to include the third qubit, and the state space is then 
T-L® 3 . The initial state is 1 000). Alice, Bob and Charles can perform the measurement in the 
computational basis on the first, second and third qubit, respectively. 

1. Let the command set is C = {R x (9)}. The executions of R x (0) by Alice and Bob are 
the same as in Example \3.1\ and Charles executes R X (Q) on the third qubit. It follows 
immediately from Example \3.1\ l) that K(S, ~^>) = 0; that is, S is secure with respect 
to 

2. Let the command set C = {R x (9),CNOT}. When Alice executes CNOT, the 
controlled-!^ OT transformation is performed with the first qubit as the control qubit 
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and the second as the target, and when Bob executes CNOT, the controlled-NOT 
is performed with the second qubit as the control qubit and the third as the target. 
Charles is not allowed to execute CNOT, or equivalently, when Charles executes 
CNOT, nothing happens. Then it follows from Example \3.1\ 2) that 

K(S,-wi) > Int(Bob,Charles)\Alice) 
> Int{Bob\ Alice) > Int(Bob,CNOT\Alice) > 0, 

and the system § is not secure with respect to policy ~» when ^ 0, it. ■ 

Unwinding is a powerful proof technique for noninterference security of classical sys- 
tems. We can extend the unwinding technique to quantum systems so that it can be used 
to estimate a upper bound of K(E>, ~»). A density operator in % is said to be reachable in 
system § if there exists action sequence a G (A x C)* such that p = £ a (po)- Then the first 
version of unwinding theorem can be stated as follows. 

Theorem 4.1 (Unwinding I) If for each agent a G A, there exists an equivalence relation 
~ on reachable density operators satisfying the following conditions: 

• Step consistency: p ~ a => £b,c(p) ~ £b,c{&)for all b € A and c G C; 

• Local respect of ~^: b -/^ a =>• p ~ £b,c{p)f° r all c £ C, 
then we have: 

K(S,~^>) < sup{d a (p, a)\p and a are 

( 7 ) 

reachable, p ~ a, and a £ A}. 

m 

Eq. © gives a upper bound of the insecurity degree K(S, under the conditions of 
Step consistency and Local respect of The reader who is familiar with the classical 
unwinding technique may wonder that Observation consistence seems missing. Indeed, it 
is incoiporated into the right-hand side of Eq. ©. In particular, if the equivalence relations 
~, a G A satisfy the above conditions of Step consistency, Local respect of w and 

• Observation consistency: p ~ a =>• d a (p,a) = 0; that is, pe(p) = Pe{o~) for all 
POVM measurements E in M a , 

then S is secure with respect to -w. 

It is known that unwinding proof technique is complete for classical noninterference 
security |[T9ll22l . The next theorem shows that the unwinding proof technique presented in 
Theorem [4j]is complete for absolute security of quantum systems. 

Theorem 4.2 (Partial Completeness of Unwinding I)IfS is secure with respect to then 
there exists a family ~, a G A of equivalence relations on reachable density operators 
satisfying Step consistency, Observation consistency and Local respect of -w. ■ 
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4.2 Bounded-Time Security 



Note that the length of action sequence a in Eq. (0]) can be arbitrary. Thus, in the definition 
equation © of insecurity degree K(S, the time used by malicious agents to detect sen- 
sitive information is unlimited. We now consider a bounded-time variant of Definition 14.21 

Definition 4.3 Let t be a nonnegative real number. Then the degree that system §> is 
t— bounded insecure with respect to policy ~^ is 

K t (S, = SUp{d a (£ a (p ),£purge Va (a)(Po) 

|a 6 (A x C)*, \a\ <t,a<E A}. 

Intuitively, K t (§, ~») measure the (in)security degree of system S with respect to policy 
~» under the assumption that the running time of the system does not exceeds t. It is obvious 
that K t (S, -w) < Kf(S, ~~*) if i < t' . If particular, if K t (S, -w) = 0, then we say that § is 
secure with respect to ~^ within time t. 

We have a unwinding proof technique for bounded-time security too. 

Theorem 4.3 (Unwinding II) Let e s ,e Q , ei be nonnegative real numbers. If for each agent 
a £ A, there exists a pseudo-distance 5 a between reachable density operators satisfying the 
following conditions: 

• Approximate step consistency: 

8 a (£b,c(p)'£b,c( a )) - S a (p,a) + e s 
for allb G A and c £ C, and for all p, a; 

• Approximate observation consistency: 

d a (p,cr) < d a (p,a) + e a 

for all p, a; 

• Approximate local respect of*"*: if b a, then it holds that 

$a{p,£b,c(P)) ^ e l 

for all c £ C, and for all p, a, 
then we have: 

K t (S,-w)<e + t-max{e s ,q}. (8) 



A upper bound of insecurity degree K t (S, ~») is given by Eq. ([8]). The next theo- 
rem derives a lower bound of insecurity degree K (§, ~») through bounded-time security 
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Theorem 4.4 (Weak Completeness of Unwinding II) There exists a family 5 a ,a G A of 
pseudo-distance on reachable density operators satisfying the following conditions: 

• Step consistency: 

for all b G A and c G C, and for all p, a; 

• Observation consistency: 

d a (p,cr) < S a (p,a) 

for all p, a; 

• Bounded local respect of -w; 

limits, ~») = K(S,~*) 

> -swp{5 a (p,£b,c(p)\b /» a,c G C ( 9 ) 
and p is reachable}. 

■ 

The lower bound of insecurity degree K(S, ~») in Eq. Q can be seen as a weak com- 
pleteness of the unwinding technique presented in Theorem 14.31 In particular, if S is se- 
cure with respect to that is, K = 0, then there exists a family 5 a , a G A of 
pseudo-distances on reachable density operators satisfying the above Step and Observation 
consistency and the following: 

• Local respect of ~-K b a 5 a {p, £b, c {p)) = for all c G A and for all p. 
4.3 Strong Security 

Different from classical systems, the state of a quantum system is often not completely 
known and thus the system is in a mixed state defined by a statistical ensemble. Some 
stronger security degrees will be useful when we consider mixtures of initial states. Let p 
be a density operator, {p^} a probability distribution, and pi a density operator for every i. 
If p = YliPiPii th en P i s called a mixture of ensemble {(pi,Pi)} of density operators. 

Before presenting the definition of strong security degree, we have to introduce a nota- 
tion. Let S = (H, po, A, C, do, messure), and let p' be a density operator. We write S[p' ] 
for the new system obtained by replacing the initial state po in S by another initial state p' ; 
that is, 

S[p ] = {H, p'o, A, C, do, messure). 
Definition 4.4 I. The strong security degree of system S with respect to ~^ is 

SK(S, = S up{^2 Pl K(§[ Pi ], ~0 : 

(10) 

po is a mixture of ensemble {(pi, Pi)}}- 
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2. Let the a positive real number. Then the strong t- bounded security degree SKf (§, ~^ 
) ofS with respect to ~» is defined by Eq. MOi with K substituted by Kt. 



5 Compositionality of Security 

The purpose of this section is to examine security of a system composed of a collection of 
subsystems. We consider two quantum systems 

§ = {H, po,A,C, do, measure) , 

S' = (H', p' Q , A', C, do', measure'). 

We can assume that C n C = without any loss of generality because the commands 
in C are executed on the component §, whereas the commands in C are executed on the 
different component However, it is allowed that A n A' = because the same agent may 
be granted to access both components § and S'. 

Definition 5.1 The composition ofS and §' is defined to be the quantum system 

S <8) §' = (n ® W, po <8> p' , A U A', C U C, Do, Measure), 

where 

1. Do = {T a>c \a E A U A' and c e C U C'}, 



£ a)C (g) %h> ii a £ A and c G C, 
X% (8) ii a£ A' and c G C", 

%H®W if a £ A\A' and c G C , 

or a£ A' \A and c G C; 



(ID 



2. Measure = {N a \a £ Au A'}, 



if a G ^4 \ j4', 
UM' a ifaGvln^', 
if a G ^ \ A 



(12) 



To simplify presentation, a little bit of notation abuse was allowed in the defining equa- 
tion of N a ; for example, if E G M a and a £ A, then E is a measurement on the whole 
system when it is considered in S, but it is a measurement on a subsystem S when it is 
considered in S ® 

We also consider the combination of two security policies. To this end, we need a 
notation. Let R C X x X be a binary relation on X, and let Y C X. Then we write R\Y 
for the restriction of R on Y; that is, R\Y = {(x,y) £ Y x Y : xRy}. 
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Definition 5.2 Let -** be a policy for agents A and a policy for agents A'. 

1. If-** \ A n A' =W \A n j4', f/ze« we say that ~» a«<i ~V are compatible. 

2. The union of -** a«<i itf f/je policy -** U o?i agents A U A/. 

Now we are ready to prove that security of quantum systems is compositional. 

Theorem 5.1 If-** and are compatible, then we have: 

1. K(S ® §', ^ U -w') < if (S, ~») + K(8', -**'); 

2. K t {8 <8 S', ~» U W) < K t (S, ~») + i^(S', W). ■ 

The above theorem shows that the insecurity degree of a composed system does not 
exceed the sum of the insecurity degrees of its component systems. In particular, if S and 
§' are secure with respect to -** and respectively (within time t), then S ® S' is secure 
with respect to —* U W (within time t). 

The composition of quantum systems in Definition 15.11 is indeed a direct product in 
which the component systems are entirely independent to each other except that some agent 
can access to different components. We can introduce a more general notion of composition 
where component quantum systems can be hooked up more tightly. To define it, we need 
several auxiliary notions. Recall from [16 | that the partial trace tr^i over %' is a mapping 
from density operators 10.%®%' to density operators in %. It is defined by 

frH'GviK^I ® (^2 1) = (^2 1^1)1^1) (^2 1 

for all \tpi), \ip2) € Hi and £ "H', and it is extended to all density operators in 

% ® %' by linearity. Let p be a density operator in % and a a density operator in % <S> %' ■ 
If try_i (a) = p, then a is called an extension of p in H ® Let £ be a super-operator on 
% and F a super-operator on % (8) We say that J 7 is a cylindrical extension of £ on in 

1. truiT{p % jjrlu 1 ) = £(p) f° r ai l density operators in 

2. truT^Iy. ® p') = p' for all density operators p' in 
where d = dim'H and a" = dim 

Definition 5.3 A generalised composition ofS> and S' £j defined to be a quantum system 
J = (U ® (j , iUi',CU C", TJo, Measure), 

vv/zere 

1. do £>o?/z aw extension of po arcd an extension of p' in % ® Ti'; 

2. Do = {J^^la G A U A' and c € C U C"} satisfies the following conditions: 
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• F a .c = ^H®H' tf a £ A \ A' and c £ C, or a £ A' \ A and c G C; 

• jj a cylindrical extension of ' £ a ,c if a- G ^4 and* c G C; 

• .F 0)C is a cylindrical extension of £' a c if a G A' and c G C; 

3. Measure is the same as in Definition I5.il 

Theorem 15.1 l ean be extended to a special class of generalised compositions of quantum 
systems. Recall from iTTTTl that a density operator a in H <g> %' is said to be separable if we 
can write: 

a = ^PiPi® p'i 

i 

where all pi are density operators in % and all p\ in pi > for all i, and YliPi = 1- A 
super-operator F on % ® %' is said to be separable if there are a family {F} of operators 
on % and a family {F/} of operators on %' such that 

F(a) = Y^(Fi ® Fl)a{F} ® F?) 

i 

for all density operators a on % ® If operators Fj commute, i.e. FiFj = FjFi for all 
i ^ j, and operators F/ commute, then F is said to be commutative. 

Theorem 5.2 If cmc? ~V are compatible, and T is a generalised composition of § and 
§' w/f/j a separable initial state cq and commutative and separable super-operators F a<c 
(a€ Al)A', ceCU C), then we have: 

1. K(T, ~» U ~»') < SK(S, ~») + SF(§', ~»'); 

2. *Q(T, ~* U W) < SK t (S, ~0 + SFft(§', ~»'). ■ 

6 Access Control 

As an application of the quantum noninterference formalism developed in the previous sec- 
tions, we now analyse security of access control to quantum information. To do so, we 
impose certain internal structure on the system under consideration by assuming that infor- 
mation is stored in different locations. 

Definition 6.1 We say that the system § has structured states if there exists a set N of 
location names, and for each location name n G N, there exists a Hilbert space H n such 
that 

H=®H n . 

In other words, the quantum system S is a composed system that consists of component 
systems labeled by locations n G N. 
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There is an essential difference between quantum and classical systems that makes un- 
derstanding access control in a quantum system harder than that in a classical system. In a 
classical system, access control is usually defined by a matrix consisting of two functions 
"read" and "alter", specifying whether a given agent may "read", "alter", respectively the 
information stored in given locations; for example, for each a G A, read(a) is defined to 
be a subset of location names N, and it is the set of locations whose values can be read by 
agent a. The reasonableness of defining read{a) as a subset of N comes from an implicit 
assumption: 

• "1 + 1 = 1": The ability to observe both the K subsystem (i.e. the subsystem 
consisting components labeled by n E K) and the L subsystem implies the ability to 
observe the combined K U L subsystem, where K, L C TV. 

Whenever this assumption is not valid, then read(a) must be defined as a subset of V(N) 
instead of a subset of N, where we use V(-) to denote power set; for example, suppose 
that N = {ni,ri2,ns}. If agent a is allowed to read both the values of location n\ and 
ri2 but not the value of combined location n\ri2, then read(a) = {{"4}, {^2}}; if agent 
a is allowed to read the values of location n\ and n-2 as well as n\n<i, then read(a) = 
{{ n i}' { n 2}, {n-i, ^2}}- Indeed, the above "1 + 1 = 1" assumption is violated in the 
quantum world, as indicated by the next example. For simplicity, for any K C N, we write 
trx for the partial trace tr^ eK u n over the K subsystem. 

Example 6.1 There are p,a G H = ®neiv ^ n suc ^ ^ iat 

1. tr N \ K (p) = tr N \ K (a) and tr N \ L (p) = tr N \ L (a); but 

2. tr N \( KuL )(p) / tr N \( KuL )(a). 

In this case, an agent who can read information stored in K and information stored in L 
but not information stored in K U L is unable to distinguish p from a. For instance, let 
N = {ni, ri2}, and let % ni = 7i n2 be the 2— dimensional Hilbert space %2- We put 

p = ||00><00| + ||11><11|, 

and a = |Ax))(A)o|> wnere IA)o) = ^75 (1 00) + |H)) is the EPR pair. Then 

tr ni (p) = tr ni (a) = ±(\0)(0\ + \l)(l\, 
tr n2 (p) =tr n2 (a) = ± (\0)(0\ + \l)(l\, 

but it is obvious that p 7^ a. ■ 
Similarly, in the quantum world we know: 

• The ability to change both the state of the K subsystem and the state of the L subsys- 
tem does not guarantee the ability to change the combined K U L subsystem. 
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Example 6.2 There are p G 1-Ln\k an d °~ £ T~^n\l such that 

1- t r N\(KDL)(p) = tr N\(KnL)(°)>' but 

2. there does not exist ant 7 G T~Ln\(kvjl) such that tr N \ K {~{) = p and tr N \ L {~f) = a. 
■ 

Another essential difference between quantum and classical information is that reading the 
quantum information stored in a certain location changes the information itself; but this dif- 
ference will not be considered in this paper because in the noninterference formalism read- 
ing (by quantum measurements) always happens at the end, and thus the post-measurement 
state of the system is irrelevant. 

By the above observation, we realise that both read(a) and alter(a) should be defined 
as elements of V{V(N)). They can be simplified a little bit by noticing that if an agent can 
read (resp. alter) the value of locations K then it can read (resp. alter) the value of any 
subset L of K. A family B G V{V(N)) of sets of location names is said to be below-closed 
if 

K G B and L C K L G B. 
We write V B {V{N)) for the set of all below-closed B G V{V{N)). 

Definition 6.2 An access control matrix consists of: 

1. a function read : A — > Vb('P(N)); and 

2. a function alter : A Vb{V{N)), 

For each agent a G A, if K G read(a), then the K subsystem can be observed by a; 
and if K G alter (a), then the state of the K subsystem can be changed by a. 
We now consider security of quantum access control with respect to a policy. 

Definition 6.3 An access control matrix {read, alter) satisfies security policy ~~> 

1. a b =^ read(a) C read(b); 

2. (3K G read(a),3L G alter (b) s.t. K n L ^ 0) =^ b ~> a. 

To present the quantum generalisation of Rushby's security theorem for access con- 
trol flip , we nee d to introduce a new pseudo-distance between density operators. For each 
agent a G A, we define distance 5 a by 

S a (p,o-)= sup d(tr N \ K (p),tr N \ K (a)) 

K(Lread(d) 

for all reachable density operators p, a in % = <S> ne ^'Hn- Intuitively, 5 a (p,a) measures 
the difference between p and a at the locations that agent a can observe. Note that in the 
defining equation of 5 a , the supremum is taken over the distances d in some subspaces of ri 
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of different dimensions. From Eqs. © and d3j we see that the distances d does not depends 
on the dimensions of these subspaces, so this defining equation is not problematic. 
Let e > and K C N. For any density operators p,a G Ti, if 

d(tr N \ K (p),tr N \ K (a)) > e, 

then we say that p and a are e— discriminable on K, and write Dis(p, a\e, K). Now we are 
ready to present the main result of this section, which gives a upper bound of bounded-time 
insecurity degree in terms of Reference Monitor Assumption and thus generalises Theorem 
2 of lfT9l to the quantum case. 

Theorem 6.1 If the access control matrix satisfies policy ~^ and the Reference Monitor 
Assumptions: for all a £ A, for all c £ C, for all p, a, and for all K C N, 

(RMl)d a (p,a) <5 a (p,a)+8; 

(RM2) 

Dis{p,£ a!C (p)\e,K)VDis(a,S a}C (a)\e,K) 

=> ^Dis(£ atC (p),£ a , c (a)\5 a (p,a),K); 

(RM3) 

Dis(p, £ 0)C (p)|e, K) 3L G alter(a) s.t. K n L ^ 0, 
then it holds that K t (S, ~>) < 8 + 2te. ■ 

7 Conclusion 

The noninterference formalism of information-flow security is generalised to the quantum 
case. We define three (in)security degrees K (S, ~>), Kt(S, ~>) and SK(§, ~») of a quantum 
system modelled by a quantum automaton S with respect to a security policy -w. The 
unwinding technique for proving noninterference security is extended so that it can be used 
to give a upper bound of the (in)security degrees of quantum systems. A compositionality 
theorem for security of quantum systems is established, showing that the (in)security degree 
of a composite system does not exceed the sum of the (in)security degrees of its components. 

For further research, one open question is to settle the computational complexity of the 
following problem: given a quantum system S, a security policy -w, and a rational constant 
c, decide whether K(§, ~») < c, K t (S, ~») < c, and SK (S, -») < c? 

Only transitive noninterference for quantum systems is considered in this paper. As 
argued in [ 10], [ 19], transitive policies are too restrictive for many realistic applications, and 
since then intransitive noninterference for classical systems has been intensively studied; see 
for example |[T8l . E2l . [23 1 . So, another topic for further research is to define intransitive 
noninterference for quantum systems. 

Noninterference was also defined by Focardi and Gorrieri [5 ] and Ryan and Schnei- 
der ifTTl in the framework of process algebras based on the notion of process equivalence. 
Several quantum processes have been defined in the last decade, including Jorrand and 
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Lalire's QPAlg 02), Gay and Nagarajan's CQP [6| and the authors' qCCS 0, 0. In 
particular, a bisimilarity preserved by parallel composition of quantum processes with en- 
tanglement was recently discovered by the authors @] and Davidson 12. A process 
equivalence-based quantum interference would be another interesting topic. 
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Appendix: Proofs of Main Results 

A. Proofs of Theorems in Section |4] 
A.l. Proof of Theorem |4J] 

By definition, we have: 

K(S,-**) = SUp{d a (£ a (p ),£purge Va (a)(po)) 

\a G (A x C)* and a G A}. 
So, it suffices to show that for each a G A and for each a G (i x C)*, 

~ £purge Va (a)(Po)- 

This can be easily done by induction on the length of a, and we omit the routine details. ■ 

A.2. Proof of Theorem |42] 

For each agent a G A, we define: 

p ~ a ^ d a (£ a (p),£ a (cr)) = for all a G (A x C)*. 

It is easy to see that ~, a G A satisfy Step and Observation consistency. To show that 
they locally respect ~~>, we assume that b /> a. Then for any reachable density operator 
p, we have p = £/3(po) for some action sequence (3 G (A x C)*. Furthermore, for any 
a G (v4 x C)* and for any c G C, it holds that 

P ur g e va(/3«) = Purge Va (/?(&, c)a!). 

Therefore, we have 

da(£ a (p),£a(£b,c(P))) = da(£/3a(Po),£f3(b,c)a(Po)) 

< d a (£/3a(po),£purge Va (/3a)(Po)) + 

da(£purge Va (/3 a ) (Po), £/3(6,c) (*>)) 
= d a (£f3a(Po),£purge Va {l3a)(Po)) + 

da(£ p urge Va (/3(b ! c)a){Po),£l3(b ! c)a(Po)) 

< 2 ■ K(S,«**) = 0. 

Consequently, it holds that p ~ ■ 
A.3. Proof of Theorem 1431 

By definition, we only need to prove that for every agent a£i and for all action sequence 
a £ (Ax C)* with \a\ < t, 

da(£ a (po),£ P u Igeva (a)(Po)) < e Q + t ■ max{e s ,ez}. 
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It follows from the approximate observation consistency that 

d a (£a(po), £purge Va (a)(Po)) 

< <5 a (£ a (po),£purge Va (a)(Po)) + ^o- 

Thus, it suffices to show that 

^a(£a(Po), Spurge Va (a) (Po)) < t ■ max{e s ,ej. 

We proceed by induction on the length \a\ of a. The basis case of |a| = is clear. Now 
assume that a = a'(b, c) and consider the following two cases: 
Case 1. b -w a. Then 

Purge Va (a) = purge Va (a / )(&, c), 
and by the induction hypothesis on a' we have: 

£a(£a'(A)),£purge Va (a')(Po)) < (t - 1) ■ max{e s ,ej} 

because \a'\ = \a\ — 1 < t — 1. Thus, by the approximate step consistency we obtain: 

5 (£a(po), £purge Va (a) (Po)) 

= (£b,c(£a (PO) ) ' £&,c (Spurge Va (a) (Po) ) ) 

< ^a(^a'(Po),^purge Va (a')(Po)) + £s 

< (i- 1) ■ max{e s ,e/} + e s 

< t • max{e s , e^}. 

Case 2. b a. Then 

P ur g e va(«) = P" r ge 7a (a / ), 
and the approximate local respect of -w and the induction hypothesis on a 1 yield 

5a (^a (po), Spurge Va (a) (PO ) ) 

= #a (£ b,c (PO ) ) , f purge Va (a') (PO ) ) 

< ^a(fb,c(fa'(Po)),fa'(Po))) 

+ 5a(fa(Po)),fpurge Va (a')(Po)) 

< e/ + (t - 1) • max{e s ,e/} 

< i • max{e s ,q}. 
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A. 4. Proof of Theorem l44l 

For each a£A, and for any reachable density operators p, a, we define: 

5 a (p,a)= sup d a {£ a {p),£ a (a)). 

ae(AxC)* 

It is easy to see that 5 a is a pseudo-distance for each a £ A Step and Observation consis- 
tency follow immediately from the definition of S a . We now prove the bounded local respect 
of w. It suffices to show that for any a, 6 £ A, c € C, and reachable density operator p, if 
b */* a, then 

<5 (p,£: 6)C ( /9 ))<2K(S,^). 

In fact, since p is reachable, it holds that p = £p(po) for some /3 £ (A x C)*. Thus, we 
have: 

8 a (p,£b,c(p)) = SU P d a (£ a (p),£ a (£ btC (p))) 

ae(AxC)* 

= SUp d a (£p a (Po),£p(b,c)a(Po)) 
a£(AxC)« 

< SUp [da(«?/3a(/5o),'fpurge Va (/3a)(Po)) 

ae(j4xC)* 

+ <4 (Spurge Va (/3a) (PO ) , £p(b,c)a (Po) )] 

< SUp 4(^a(Po),^purge Va (/3a)(Po)) 
ae(AxC)* 

+ sup d a (£ purgeva ^ a )(p ),£ l3 ^ c ) a (po)) 

ae(AxC)* 

= sup d a (£p a (p ),£ pu { p a) (p )) 

ae(AxC)* 

+ SUp rfa( < ?purge Va (/3(6,c)o) (Po),£/3(b,c)a(Po)) 
a&(AxC)* 

< 2K(8,~*) 

because b a implies purge Va (/3(6, c)a) = purge Va (/3a). ■ 

B. Proof of Theorems in Section |5] 

We first present two technical lemmas needed in the proofs of Theorems 15.11 and 15.21 

Lemma B.l: If all POVM measurements in M are all performed on the first subsystem, 
then we have: 

^m(pi ® P,P2 <8> p) = d M (pi,P2) 

for any density operators p\ , p2 of the first subsystem, and for any density operators p, p' of 
the second subsystem. 

Proof: For each POVM measurement E in M, since it is performed only on the first 
subsystem, we can write E = {E\ (g> where E\ is an operator on the first subsystem 
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for every A, and / is the identity operator on the second subsystem. Thus, 

Pe(pi ® P, A) = tr({E x ® I){ Pl ® p)) 

= tr((E xPl ) ®p) = tr{E xPl ) ■ tr(p) 
= tr(Expi) =p E { P i,X); 

that is, the probability distribution defineed by E and p\ <g) p is equal to that defined by E 
and p\. Similarly, we have pe{P2® p') = Pe{P2)- Therefore, 

d{pE{p\ ® p),Pe(P2 ® P 1 )) = d{p E {pi),PE{p2)), 

and the conclusion follows. ■ 
Lemma B.2: (Convexity of Measurement Distance) Let M be a family of POVM mea- 
surements, let {pi} be a probability distribution, and let pi and <7j be density operators for 
every i. Then 

dmC^PiPii^^PiOi) < y^^PidmiPi^i). 

i i i 

Proof: We first prove the conclusion in the special case where M is a singleton {E}. In 
thos case, we simply write cIe for dm- Suppose that E = {E\}\eA- By definition, we have: 

d E(^2piPi,^2pio-i) 

i i 

= \H E \C£,Pipi)) - tr(E x {Y,pm))\ 



AeA i i 

^ I y^PitrjExpj) - ^Pitr^Exai 

AeA i i 



< ^2y2pi\tr(E x pi) - tr(E X (Ti] 

AeA i 



(13) 



i AeA 

= y^PidE(Pi,o~i)- 

i 

In general, it follows from Eq. (TT3l that 

iy^PiPi,y^pm) = sup d E (s^PiPh y~)pi<ri 

, £eM , , 

< sup y^Pid E {pi,o-i) 

E&W~ 

< y^Pi sup d E (pi,o-i) 
i EeM 

= y^ J Pidm{Pi,o~i)- 
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Now we are ready to prove Theorems 15 . 1 1 and |5 . 2 1 Theorem 15.1 l ean be proved in a way 
that is similar to but easier than the proof of Theorem 15.21 

For Theorem 15.21 we only prove 1) because 2) can be proved in the same way. For each 
a £ A U A', we put 

Va = {b £ A U A' : not b(~* U ~*')a}. 
Then it suffices to show that for all a G [(A U A') x (C U C")]*, 

AiG^aCco), •^purge Vo (a)( cr o) 

where D a is the measurement distance in the composed system T; that is, D a = d^ a . Let 
j3, 7, S be the subsequences of a consisting of elements in A x C, A' x C" and [(^4 \ A') x 
C] U [(A' \ A) X C], respectively, and let (3', ^',5' be the corresponding subsequences of 
purge Va (a). Since the initial state <7o is separable, we can write ctq in the following way: 

= ^Pi{Pi® p'i), 

i 

where {pi} is a probability distribution, and pi,p\ are density operators in H and T-L', re- 
spectively, for every i. 

(i) By definition, we obtain: 

Po = tr w (a ) = ^PiPi. 

i 

So, po is a mixture of ensemble {{pi,Pi)}- Similarly, we see that p' is a mixture of ensemble 

{{Pi,p'i)}- 

(ii) It follows from Eq. CO} that 

^"a(o"o) = yipiFajPi ® Pi) 

j 

because any operator of the form £01^ commutes with any operator of the form Z% <S> £' ■ 
Similarly, we have: 

^purge VQ (a)(o-0) = ^Pi[£p'{pi) £y(p'i)}- 

i 

Now we consider the following three cases: 
Case 1. a E A \ A'. We write: 

Via = {b G A : b a}. 
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Then by the compatibility of ~^ and W we have: 

Va = ViaU (A' \ A), 
/?' = purge Via (/3), 
7' = e (empty string) . 

Furthermore, using Eq. (Tl2l and Lemmas B.l and B.2 we obtain: 

AiG^aO^o), Spurge Va (a) (^o)) 

= dM a Q2pi[£p(pi)® £j(p'i)],^2pi[£i3>(pi) ® £/(pt)]) 

i j 
i 

l^K[ £: purge Via ( / 9)(Pi) ® ft)]) 
i 

< J^Pi^MaCfyfai) ®^7(Pi),^purge 7ia (/3)(Pi) ® Pi)) 

I 

< X) P^M. (fy (Pi) , Spurge Vi „ (f})(pi)) 

i 

<J2PiK(S[ Pi ],^) 

i 

< SK(S,-^). 

Case 2. a E A' \ A. Similar to Case 1. 
Case 3. a G A n A'. We write: 

V 2 a = {b £ A' : 6 />' a}. 

Then by the compatibility of ~^ and ~V we have: 

Va = Via U V2a, 
= purge Via (/?), 

l' = P ur g e V 2 a(7)- 

It follows from Eq. (fT2l and Lemma B.l that 

D a {Sp{pi) <8>£ 7 (p-), Spurge Via (/3)(Pi) ® ^(Pi)) 
= ^M a UM' a (^/3 (Pi )®^ 7 (Pi)> Spurge ^^^(Pi) ® £7 (/>£)) 
= max{d Mo (£/3(Pi) <E>f 7 (Pi),fpurge 7l0 (/3)(Pi) ®^ 7 (ft))> 

d^Spipi) (8>f 7 (Pi) I ^purge Vla ( / 3)(Pi) ®^ 7 (Pi))} 
= rfM a (<f/3(Pi)>^purge Via (/3)(Pi)) 

<^(S[ft],^). 
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Similarly, we have: 



Ai(£purge Via (/3)0i) ® £ 7 (Pi)>£purge 7la G9)(/>i) 
"purge V2 



-(7) W))<A'(S'WWO- 



Therefore, it holds that 

A,(W ® ^>;).W, ia (ffl(ft) ® ^purge V2o(7 )(pD) 
< D a {Sp{pi) ® ^(^),^wrge 7iO 08)(«) ®£ 7 (Pi)) 
+ A*(£purge Via Og)(ft) ® ^ 7 (Pi)> 

f purge Via (^)(pi)®^ p urge V2a ( 7 )(pO) 
<if(S[ft],-)+^(SVi],-'). 

Finally, by Lemma B.2 we obtain: 

-Da (-^a (<70 ) , Spurge Va (a) (o"0 ) ) 

i 

^^^gev^^CPO^^purge^jT)^))]) 

< ^p^D a (^(p;)® 

i 

^purge Via (/3)(^)®^urge Via ( 7 )(ft))) 

<Y / Pims[p i ],^)+K(s'[p'i\,^')] 

i 

i i 

< SK(S,~*) + SK(Sf,~*')] 

C. Proof of Theorem O 

We first prove the following two claims: 

Claim! . S a (£ b)C (p) , S b}C ((r)) < 5 a (p,a) + 2e. 
To prove this claim, we only need to show that for any K £ read(a), 

d{tr K {£ b>c (p)),tr K (£ b ^ c (a))) < S a (p,a) + 2e. 

We consider the following cases: 
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Case 1. p and £b,c(p) are e— discriminable on K. Then it follows from (RM2) that 
£b,c{p) and £ b . c (a) are not 5 b (p, a)— discriminable; that is, 

d(tr K (£ btC (p)),tr K {£ btC {a))) < 5 b (p,a). (15) 

On the other hand, by (RM3) we have K n L / for some L G alter (b), and by condition 
2) of Definition [63] and S read(a) we further obtain b a. This together with condition 
1) of Definition [63] implies that read(b) C read(a), and by definition we have 5ft (p, <r) < 
(5 a (/9, <j). Therefore, it follows from Eq. (fT3T > that 

d(tr K (£ b)C (p)),tr K (£ b)C (a))) < 5 a (p,a). 
Case 2. <r and £{, )C (cr) are e— discriminable on i^T. Similar to Case 1. 

Case 3. p and £ b ,c{p) are not e— discriminable on if, and a and £{, jC (c) are not e— discriminable 
on K. Then it holds that 

d(tr K (£ bjC (p)),tr K (£ btC (a))) < d(tr K (£ bjC (p)),tr K (p)) 

+ d(tr K (p),tr K (a)) + d(tr K (a),tr K (£ b , c (a))) 
< 5 a (p,a) + 2e. 

Claim2 . b a 5 a (p,£ btC (p)) < e. 
To prove this claim, we only need to show that for any K £ read(a), 

d(tr K {p),tr K (£ b ^ c (p)) < e. 

This can be done by refutation. If there exists K G read(a) such that 

d(tr K (p),tr K (£ btC (p)) > e; 

that is, p and £ bjC (p) are e— discriminable on .ff, then by (RM3) we assert that there exists 
L G alter (a) with K C\ L ^ $. It follows from condition 2) of Definition 16 . 3 1 that 6 ~» a. 
This contradicts to the assumption that b a. 

Finally, by combining (RM1) and Claims 1 and 2 and applying Theorem l4.3l we obtain: 

K t (S, ~*)<9 + t- max{2e, e} = 9 + 2te. 
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